Identifying How Firms Manage Cybersecurity Investment
نویسندگان
چکیده
We report on a set of 40 semi-structured interviews with information security executives and managers at a variety of firms and government agencies. The purpose of the interviews was to learn more about how organizations make cybersecurity investment decisions: how much support they receive to execute their mission, how they prioritize which threats to defend against, and how they choose between competing security controls. We find that most private sector executives believe that their firms adequately fund cybersecurity, but that finding qualified personnel inhibits the pace of adoption of new controls. Most firms do not calculate return on investment (ROI) or other outcome-based quantitative investment metrics; instead, they opt for processbased frameworks such as NIST and COBIT to guide strategic investment decisions. Finally, we note that CISOs in government face considerable challenges compared to their private-sector counterparts.
منابع مشابه
Empirical Evidence on the Determinants of Cybersecurity Investments in Private Sector Firms
Investments in cybersecurity are critical to the national and economic security of a nation. There is, however, a strong tendency for firms in the private sector to underinvest in cybersecurity activities. This paper reports the results of a survey designed to empirically assess whether treating cybersecurity as an important component of a firm’s internal control system for financial reporting ...
متن کاملMultifirm models of cybersecurity investment competition vs. cooperation and network vulnerability
In this paper, we develop and compare three distinct models for cybersecurity investment in competitive and cooperative situations to safeguard against potential and ongoing threats. We introduce a Nash equilibrium model of noncooperation in terms of cybersecurity levels of the firms involved, which is formulated, analyzed, and solved using variational inequality theory. The equilibrium of this...
متن کاملIncreasing cybersecurity investments in private sector firms
The primary objective of this article is to develop an economics-based analytical framework for assessing the impact of government incentives/regulations designed to offset the tendency to underinvest in cybersecurity related activities by private sector firms. The analysis provided in the article shows that the potential for government incentives/regulations to increase cybersecurity investmen...
متن کاملWhich Investments Do Firms Protect? Liquidity Management and Real Adjustments When Access to Finance Falls Sharply
We study how firms engaged in both R&D and fixed investment manage liquidity and adjust real investment during the recent financial crisis. Among firms with positive R&D expenditures, cuts to fixed investment in the crisis are typically far more severe than cuts to R&D. These firms allocate cash reserves to buffer R&D but do not use cash to protect fixed investment. Some firms appear to go so f...
متن کاملThe Effect of Firm's Use from Information Technology (IT) on Total Productivity
Abstract O ur basic aim in this paper concerns the question that if overusing the Information Technology by service and manufacturing firms can increase the total productivity resulting from this kind of technology regarding the Iran's economic structure and conditions. For this purpose, we primarily evaluate the productivity resulting from the rate of firms' use of IT for...
متن کامل